Management Information Systems Quarterly
Abstract
In recent years, ransomware has become one of the most dangerous cyber threats, with successful attacks causing severe operational disruptions and staggering damages. Rationally speaking, investors should react negatively to firms’ ransomware disclosures, but this may not always be the case. Based on norm theory, we describe a paradoxical phenomenon wherein investors exhibit negative reactions to ransomware hits (i.e., events that led to operational disruptions) but positive reactions to near misses (i.e., events in which operational disruptions were narrowly avoided). The positive reactions occur due to an outcome bias in which near-miss events—events that are objectively negative but less severe than expected—are viewed positively instead of negatively. We tested these predictions by investigating stock market reactions to disclosures of ransomware hits vs. near misses. To do so, we assembled a comprehensive dataset of ransomware incidents disclosed by U.S. public firms. Using the event study method, we estimated abnormal stock market returns and found evidence in support of our predictions. First, in line with expectations, ransomware hits that led to the expected severe impact resulted in stock price drops of -4.40%. However, near misses, where disruptions were avoided, were rewarded with gains of 2.87%, confirming positive instead of negative reactions. This offers new insights into investors’ biased responses to certain cybersecurity incidents. These positive reactions, however, represent a call for caution because, albeit seemingly favorable, they mask underlying risks.